Filling in the blanks: Ministerial Authorizations
In this blog post I'm going to try to identify the subject of the three Ministerial Authorizations (MAs) that CSE has used in recent years to enable its SIGINT program to operate.
Since the passage of Bill C-36 in 2001 gave CSE its first statutory mandate, the agency has used MAs to ensure that its SIGINT (and cyber defence activities) can incidentally intercept "private communications" without breaking the law. (For the purposes of the Criminal Code, private communications are communications that begin and/or end in Canada for which a reasonable expectation of privacy exists. Phone calls, e-mails, and text messages with at least one end in Canada are all examples of private communications.) The passage of Bill C-59 in 2019 altered the details of this regime, but its fundamentals remain the same: ministerial authorizations, now called Foreign Intelligence Authorizations and Cybersecurity Authorizations, remain necessary to enable CSE to operate legally.
These MAs have a duration of one year, after which they are renewed or replaced by a new MA. In 2011-12, CSE operated with eight MAs, six to cover SIGINT activities and two to cover cybersecurity activities. Since December 2012, however, CSE has obtained just four MAs per year, three for SIGINT and one for cybersecurity.
What the numbers are now under the new C-59 regime remains to be revealed.
My guess is that the number of Cybersecurity authorizations will increase. The number of SIGINT/Foreign Intelligence authorizations could also do so, but I'm less confident of that. The three SIGINT MAs that CSE standardized on in 2012 already covered every CSE collection activity that might risk the acquisition of a private communication, and it's possible that the Foreign Intelligence MAs will essentially be reflagged versions of those previous MAs. But the new authorizations are potentially broader, as they cover "any activity specified in the authorization in the furtherance of the foreign intelligence aspect of [CSE's] mandate." This includes all acquisition of information for the foreign intelligence program, other than publicly available information for which no reasonable expectation of privacy exists, whether or not private communications are potentially in play. So maybe we'll see more than three.
Presumably we'll find that out whenever the first public report of the new Office of the Intelligence Commissioner appears. CSE could easily have reported the numbers itself in its recent annual report, but that's just not the way the agency rolls.
Anyway. Back to the topic at hand.
CSE does a lot of different kinds of SIGINT collection activity, both directly and through the Canadian Forces Information Operations Group (CFIOG), so it's worth considering how the agency has managed to shoehorn all that stuff into just three annual SIGINT MAs since 2012.
The short answer is that the MAs cover classes of activities rather than individual collection programs.
Unfortunately, all information concerning how those classes are defined has always been withheld by the agency. See, for example, this memo discussing the switch from eight to four MAs in 2012.
Back in 2015 I concluded that one of those MAs was focused on the agency's Computer Network Exploitation (CNE) program, as I explained here.
But I was less sure about the other two SIGINT MAs, speculating that they might be divided between traditional circuit-switched communications, like telephone landlines, and the packet-switched communications used on the Internet.
I now think that was wrong. I recently reviewed this 2013 document and had an epiphany.
See how the telecommunications data collected by CSE is broken down into three broad sources? Computer-based sources—accessible through CNE activities—and two others?
Here's what I think CSE's three SIGINT MAs may be.
The first MA—Radio Frequency Collection—pertains to traffic transmitted through the air (e.g., satellite beams, HF/VHF/UHF or microwave radio traffic, cell phones, etc), which can therefore be collected using antennas, and the second—Cable Access Collection—pertains to traffic transmitted through cable systems, which thus requires hardware or software implants, physical intercept points, or the cooperation of telecommunications carriers for its collection. The third, as I thought before, pertains to CNE activities.
Now, I don't know for certain that these guesses are correct.
But I'm pretty confident that they are, although the wording I chose may or may not be quite right.
And I'm also confident that if CSE were to reveal that those categories are indeed the ones that define its SIGINT MAs, that information would reveal precisely nothing about CSE's sources and methods that the agency's targets don't already either know for a fact or at least take as a given.
Since the passage of Bill C-36 in 2001 gave CSE its first statutory mandate, the agency has used MAs to ensure that its SIGINT (and cyber defence activities) can incidentally intercept "private communications" without breaking the law. (For the purposes of the Criminal Code, private communications are communications that begin and/or end in Canada for which a reasonable expectation of privacy exists. Phone calls, e-mails, and text messages with at least one end in Canada are all examples of private communications.) The passage of Bill C-59 in 2019 altered the details of this regime, but its fundamentals remain the same: ministerial authorizations, now called Foreign Intelligence Authorizations and Cybersecurity Authorizations, remain necessary to enable CSE to operate legally.
These MAs have a duration of one year, after which they are renewed or replaced by a new MA. In 2011-12, CSE operated with eight MAs, six to cover SIGINT activities and two to cover cybersecurity activities. Since December 2012, however, CSE has obtained just four MAs per year, three for SIGINT and one for cybersecurity.
What the numbers are now under the new C-59 regime remains to be revealed.
My guess is that the number of Cybersecurity authorizations will increase. The number of SIGINT/Foreign Intelligence authorizations could also do so, but I'm less confident of that. The three SIGINT MAs that CSE standardized on in 2012 already covered every CSE collection activity that might risk the acquisition of a private communication, and it's possible that the Foreign Intelligence MAs will essentially be reflagged versions of those previous MAs. But the new authorizations are potentially broader, as they cover "any activity specified in the authorization in the furtherance of the foreign intelligence aspect of [CSE's] mandate." This includes all acquisition of information for the foreign intelligence program, other than publicly available information for which no reasonable expectation of privacy exists, whether or not private communications are potentially in play. So maybe we'll see more than three.
Presumably we'll find that out whenever the first public report of the new Office of the Intelligence Commissioner appears. CSE could easily have reported the numbers itself in its recent annual report, but that's just not the way the agency rolls.
Anyway. Back to the topic at hand.
CSE does a lot of different kinds of SIGINT collection activity, both directly and through the Canadian Forces Information Operations Group (CFIOG), so it's worth considering how the agency has managed to shoehorn all that stuff into just three annual SIGINT MAs since 2012.
The short answer is that the MAs cover classes of activities rather than individual collection programs.
Unfortunately, all information concerning how those classes are defined has always been withheld by the agency. See, for example, this memo discussing the switch from eight to four MAs in 2012.
Back in 2015 I concluded that one of those MAs was focused on the agency's Computer Network Exploitation (CNE) program, as I explained here.
But I was less sure about the other two SIGINT MAs, speculating that they might be divided between traditional circuit-switched communications, like telephone landlines, and the packet-switched communications used on the Internet.
I now think that was wrong. I recently reviewed this 2013 document and had an epiphany.
See how the telecommunications data collected by CSE is broken down into three broad sources? Computer-based sources—accessible through CNE activities—and two others?
Here's what I think CSE's three SIGINT MAs may be.
The first MA—Radio Frequency Collection—pertains to traffic transmitted through the air (e.g., satellite beams, HF/VHF/UHF or microwave radio traffic, cell phones, etc), which can therefore be collected using antennas, and the second—Cable Access Collection—pertains to traffic transmitted through cable systems, which thus requires hardware or software implants, physical intercept points, or the cooperation of telecommunications carriers for its collection. The third, as I thought before, pertains to CNE activities.
Now, I don't know for certain that these guesses are correct.
But I'm pretty confident that they are, although the wording I chose may or may not be quite right.
And I'm also confident that if CSE were to reveal that those categories are indeed the ones that define its SIGINT MAs, that information would reveal precisely nothing about CSE's sources and methods that the agency's targets don't already either know for a fact or at least take as a given.